Bug 1035006 - (CVE-2017-1000353) VUL-0: CVE-2017-1000353: jenkins: Unauthenticated remote code execution via unserialized Java
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Importance: P3 - Medium / Major
Target Milestone: ---
Assigned To: J. Daniel Schmidt
QA Contact: Security Team bot
Reported: 2017-04-19 15:38 UTC by Johannes Segitz
Modified: 2017-05-05 11:41 UTC (History)
Comment 2 Johannes Segitz 2017-04-21 07:35:07 UTC
SECURITY-429: CLI: Unauthenticated remote code execution

An unauthenticated remote code execution vulnerability allowed attackers to transfer a serialized Java `SignedObject` object to the Jenkins CLI, that would be deserialized using a new `ObjectInputStream`, bypassing the existing blacklist-based protection mechanism. We're fixing this issue by adding `SignedObject` to the blacklist. We're also backporting the new HTTP CLI protocol from Jenkins 2.54 to LTS 2.46.2, and deprecating the remoting-based (i.e. Java serialization) CLI protocol, disabling it by default.

is CVE-2017-1000353
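An added example, not Jenkins' code or the fix from the advisory, illustrating the mechanism the comment describes: a filter attached to one `ObjectInputStream` never sees what `java.security.SignedObject.getObject()` unwraps, because `getObject()` opens a fresh `ObjectInputStream` of its own, whereas a JVM-wide filter (`java.io.ObjectInputFilter`, Java 9+) is applied to that inner stream too. The `Marker` class, the throwaway RSA key and the class names are constructed for this demo.

```java
import java.io.*;
import java.security.*;

// Added demo (not Jenkins' code): per-stream filter vs. JVM-wide filter when the
// real payload is wrapped inside java.security.SignedObject. Requires Java 9+.
public class SignedObjectFilterDemo {
    // Harmless constructed stand-in for a class the filter is meant to keep out.
    static class Marker implements Serializable { int value = 42; }

    // Wrap `inner` in a SignedObject (signed with a throwaway key) and serialize it.
    static byte[] wrapAndSerialize(Serializable inner) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        SignedObject so = new SignedObject(inner, kp.getPrivate(), Signature.getInstance("SHA256withRSA"));
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(so); }
        return bos.toByteArray();
    }

    // The outer stream only presents SignedObject, byte[] and String to its filter;
    // the wrapped payload appears only when getObject() opens its own inner stream.
    static Object unwrap(ObjectInputStream ois) throws Exception {
        SignedObject so = (SignedObject) ois.readObject();
        return so.getObject();
    }

    // Reject rule attached to this one stream: Marker is never shown to it.
    static Object readWithStreamFilter(byte[] data) throws Exception {
        ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data));
        ois.setObjectInputFilter(ObjectInputFilter.Config.createFilter("!" + Marker.class.getName()));
        return unwrap(ois);
    }
    static Object readWithDefaultFilter(byte[] data) throws Exception {
        return unwrap(new ObjectInputStream(new ByteArrayInputStream(data)));
    }

    public static void main(String[] args) throws Exception {
        byte[] data = wrapAndSerialize(new Marker());
        // Prints "Marker": the per-stream reject rule did not reach the inner stream.
        System.out.println("per-stream filter -> " + readWithStreamFilter(data).getClass().getSimpleName());
        // JVM-wide filter (same effect as -Djdk.serialFilter=...) applies to every
        // ObjectInputStream, including the one SignedObject.getObject() creates.
        ObjectInputFilter.Config.setSerialFilter(ObjectInputFilter.Config.createFilter("!" + Marker.class.getName()));
        try {
            readWithDefaultFilter(data);
            System.out.println("jvm-wide filter -> NOT blocked");
        } catch (InvalidClassException e) {
            System.out.println("jvm-wide filter -> blocked: " + e.getMessage());
        }
    }
}
```

The advisory's own fix is narrower, rejecting `SignedObject` itself on the outer stream; a reject-only pattern is used here for readability, but a production filter should be an allow-list ending in `!*`.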
Comment 3 Marcus Meissner 2017-04-27 15:15:57 UTC
now public